Query Details

Detect Unusual/Suspicious RTT Values Based On DNS Answers

Query

**Detect unusual/suspicious RTT values based on DNS Answers**

**Description:** Round Trip Time (RTT) analysis is a powerful signal for threat hunting; it can reveal:

- C2 servers hosted in unusual locations (high RTT): `| where rtt > 100`
- Malware hiding inside local networks (low RTT): `| where rtt < 5`
- DNS tunneling activity, based on RTT anomalies.
- Tor/VPN evasion techniques (RTT fluctuation detection).
- Compromised infrastructure using offshore hosting (known malicious IPs with high RTT).

```kql
DeviceNetworkEvents
| extend TTLs = todynamic(tostring(parse_json(AdditionalFields).TTLs))
| mv-expand TTLs
| extend answers = todynamic(tostring(parse_json(AdditionalFields).answers))
// rtt is cast to a number so that the threshold comparison below is numeric
| extend rtt = toreal(parse_json(AdditionalFields).rtt)
| extend query = tostring(parse_json(AdditionalFields).query)
| mv-expand answers
// each expanded answer becomes a string so the regex, geo lookup and output work on text
| extend answers = tostring(answers)
| extend Type =
    case(
        answers matches regex @"^(\d{1,3}\.){3}\d{1,3}$", "IPv4",
        answers matches regex @"^([a-fA-F0-9:]+)$", "IPv6",
        answers contains ".", "URL",
        "Unknown"
    )
| where Type == "IPv4"
| extend Geo_info_answer = tostring(geo_info_from_ip_address(answers).country)
| extend Geo_info_RemoteIP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where rtt > 100
| project DeviceName, RemoteIP, answers, Geo_info_RemoteIP, Geo_info_answer, rtt, TTLs
```

Explanation

This query is designed to detect unusual or suspicious Round Trip Time (RTT) values in DNS responses, which can be indicative of various network threats or anomalies. Here's a simplified breakdown of what the query does:

1. Extract and Process Data:
   - It starts by extracting additional fields from network events, specifically the TTLs (Time to Live), DNS answers, and RTT values.
   - The query expands these fields to handle multiple values within them.
2. Identify Answer Types:
   - It categorizes the DNS answers into types such as IPv4, IPv6, URL, or Unknown based on their format.
3. Filter for IPv4 Addresses:
   - The query specifically looks at answers that are IPv4 addresses.
4. Geolocation Information:
   - It retrieves geolocation information for both the DNS answer and the remote IP address, identifying the countries associated with these IPs.
5. Detect High RTT Values:
   - The query filters for DNS responses with RTT values greater than 100 milliseconds, which might indicate unusual network behavior, such as communication with command and control servers in distant locations.
6. Output Relevant Information:
   - Finally, it projects (selects) the relevant columns to display: the device name, remote IP, DNS answer, geolocation of the remote IP and of the DNS answer, RTT, and TTLs.

In summary, this query is used to identify potential network threats by analyzing DNS responses with high RTT values, which could suggest suspicious activities like communication with remote servers or compromised infrastructure.

Details


Sergio Albea

Released: March 14, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, AdditionalFields, RemoteIP, GeoInfo, Country

Operators

extend, todynamic, tostring, parse_json, mv-expand, case, matches regex, contains, where, has, geo_info_from_ip_address, project
